Getting to Accountability: Maximizing Your Privacy Management Program

Copyright © 2015 by Nymity Inc. All rights reserved | WWW.NYMITY.COM

Getting to Accountability · 2018-02-15



Agenda

• Introductions
• Accountability Fundamentals
• Privacy Management Status
• Privacy Management Program Strategy
• Develop a Resource-Based Plan to execute the Strategy

Workshop Takeaways

Getting to Accountability: Maximize the effectiveness of your privacy management program

Learn how to:

1. Present Your Privacy Management Status
   Identify current state including owners of activities

2. Select a Privacy Management Program Strategy

3. Develop a Plan to execute the Strategy
   Identify applicable privacy management activities
   Prioritize based on resources and articulate a business case for additional resources

Workshop Materials

Accountability Workbook and Framework
• Document the Status of Privacy Management
• Define Required Resources
• Record the Business Case for Additional Resources
• Demonstrate Accountability

Accountability Paper

Privacy Program Strategy
• Define Components of Privacy Program Strategy
• Prioritized Program Implementation

Feedback Form
• How can we help you?
• How can we improve the workshop?

Introductions

Facilitator: TERESA TROESTER FALK, Chief Global Privacy Strategist – NYMITY, and former Associate General Counsel (Privacy), Information Services

Participants, please introduce yourself:
• Name
• Company
• Role
• Size of company
• Industry/Sector
• How many years of experience in privacy?
• Size of privacy office
• How would you characterize your program (just getting started, average, mature, other)?

Introducing Nymity

A Data Privacy Research Company
• Focus: Dedicated to global data privacy compliance research
• Established: 2002
• Headquarters: Toronto, Canada
• Research: Inventor of several compliance methodologies & frameworks
• Funding: Partially funded by government R&D grants

Software Solutions for the Privacy Office
• Privacy Management Solutions: Nymity Attestor™, Nymity Benchmarks™, Nymity Templates™
• Compliance Research Solutions: Nymity Research™, Nymity LawTables™, Nymity MofoNotes

Nymity is a global data privacy compliance research company specializing in accountability, risk, and compliance software solutions for the Privacy Office. Nymity’s suite of software solutions helps organizations attain, maintain, and demonstrate data privacy compliance.

Accountability Fundamentals

Module Objective
• Learn about the evolution of accountability in the context of privacy and data protection
• Understand the current global discussion on accountability, why it is important, and how it applies to you
• See how compliance can be an outcome of accountability
• Learn how Nymity helps put accountability theory, discussion and guidelines into practice

Evolution of Accountability (timeline figure, 1980–2015)

Instruments shown on the timeline:
• Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
• Article 29 Data Protection Working Party Opinion 3/2010 on the Principle of Accountability
• PIPEDA Schedule 1 4.1, Principle 1: Accountability
• U.S. Federal Trade Commission Enforcement Actions
• APEC Privacy Framework
• Canada: Getting Accountability Right With a Privacy Management Program
• OECD Revised Guidelines
• Colombia: Guide for the Implementation of Accountability in Organizations
• EU: General Data Protection Regulation
• Hong Kong: Privacy Management Programme Best Practice Guide
• Australia: Privacy Management Framework

Timeline axis: 1980 2000 2005 2010 2011 2012 2013 2014 2015

Data Privacy Asia 2015: Your Business Imperative, 25 – 27 August 2015 (slide footer dated 07/09/2015)

Asia Pacific Privacy Authorities: Accountability includes a Privacy Management Program

Requirement on data controllers to:
• Implement a privacy management program
• Demonstrate, on-demand, the privacy management program to regulators or other accountability agents

Accountability Today – Best Practice Guidelines (Canada, Hong Kong, Colombia)

Part A – Baseline Fundamentals of a Privacy Management Programme
1. Organisational Commitments
   a. Buy-in from the Top
   b. Data Protection Office and/or Officer
   c. Reporting
2. Programme Controls
   a. Personal Data inventory
   b. Policies
   c. Risk Assessment Tools
   d. Training and Education Requirements
   e. Breach Handling
   f. Data Processor Management
   g. Communication

Part B – Ongoing Assessment and Revision
   a. Develop an oversight and review plan
   b. Assess and Revise Programme Controls

Nymity’s Research on Accountability

☑ Demonstrating Accountability

Nymity breaks down the concept of Accountability into three components:
• Responsibility: The organization maintains an effective privacy management program consisting of ongoing privacy management activities.
• Ownership: An individual is answerable for the management and monitoring of privacy management activities.
• Evidence: The Privacy Office can support, with documentation, the completion of privacy management activities.

Responsibility

The organization maintains an effective privacy management program consisting of ongoing privacy management activities.

Privacy management activities are procedures, policies, systems, measures and other mechanisms impacting the processing of personal data.

Ownership

An individual is answerable for the management and monitoring of the Privacy Management Activities.

Privacy Office Activities (privacy officer responsibilities): Privacy Management Activities that are the responsibility of the privacy office.

Operational Activities (privacy officer influences/observes): Privacy Management Activities that are the responsibility of operational units, including Marketing, HR, IT, Legal, Procurement, and Product Development.

Evidence

Documentation is a by-product of Privacy Management Activities.

Privacy Management Activity | Evidence/Documentation | Source/Role | Formal/Informal
Maintain a data privacy policy | Data Privacy Policy | Produced by privacy office | Formal
Integrate data privacy into e-mail monitoring practices | E-mail monitoring policy and procedure | Influenced by privacy office; produced by Information Technology | Formal
Measure comprehension of data privacy concepts using exams | System generated report of data privacy exam scores | Collected by privacy office; produced by Human Resources | Informal
Provide notice in all marketing communications (e.g. emails, flyers, offers) | Examples of e-mail marketing communications | Influenced by privacy office; produced by Marketing | Informal

Compliance is an Accountability Outcome

“A privacy management programme serves as a strategic framework to assist an organization in building a robust privacy infrastructure supported by an effective on-going review and monitoring process to facilitate compliance.”

Source: Privacy Management Programme: A Best Practice Guide – Office of the Privacy Commissioner for Personal Data, Hong Kong, http://www.pcpd.org.hk/english/publications/files/PMP_guide_e.pdf

Accountability and Compliance: The Evolving Privacy Landscape

(Diagram: a shift toward accountability.)
• Compliance, Privacy Program Outcomes: Laws and regulations; Enforcement actions; Binding Corporate Rules
• Accountability, Privacy Program Infrastructure: Responsibility; Ownership; Evidence

Traditional Compliance Assessment Approach: Assess compliance with each requirement individually

(Diagram: many regulatory requirements mapped one by one to many privacy programs and activities.)

Many Regulatory Requirements (each with its own Rule 1 to Rule 5):
• Hong Kong – Personal Data (Privacy) Ordinance
• Macau – Personal Data Protection Act 8/2005
• Malaysia – Personal Data Protection Act 2010
• Singapore – Personal Data Protection Act 2012
• South Korea – Personal Information Protection Act

Many Privacy Programs & Activities:
• PHI Policies & Procedures
• Audit and Monitoring
• Training and Awareness
• Company Policies and Procedures
• Complaints and Investigations
• Records Management
• Information Security
• Vendor Management
• Human Resources
• Legal

Rationalized Rules/Requirements Approach: Identify common elements and address outliers

(Diagram: many regulatory requirements consolidated into one rationalized rule set, with outliers handled separately.)

Many Regulatory Requirements (each with its own Rule 1 to Rule 5):
• Hong Kong – Personal Data (Privacy) Ordinance
• Macau – Personal Data Protection Act 8/2005
• Malaysia – Personal Data Protection Act 2010
• Singapore – Personal Data Protection Act 2012
• South Korea – Personal Information Protection Act

Outliers addressed individually:
• Macau – registration requirement
• Hong Kong – direct marketing provisions
• South Korea – Breach Notification

One Rationalized Rule Set: Rule A, Rule B, Rule C, Rule D, Rule E

Accountability goes above and beyond compliance

Nymity Privacy Management Processes mapped against three laws: Malaysia – Personal Data Protection Act, 2010; Hong Kong – Personal Data (Privacy) Ordinance; Singapore – Personal Data Protection Act, 2012. An x means the law/regulation contains compliance requirements related to the Privacy Management Process (marks shown as extracted from the table):

1. Maintain Governance Structure: x x
2. Maintain Personal Data Inventory
3. Maintain Data Privacy Policy: x x x
4. Embed Data Privacy into Operations: x x x
5. Maintain Training and Awareness Program: x
6. Manage Information Security Risk: x x x
7. Manage Third-Party Risk: x x x
8. Maintain Notices: x x x
9. Maintain Procedures for Inquiries and Complaints: x x x
10. Monitor for New Operational Practices
11. Maintain a Data Privacy Breach Management Program
12. Monitor Data Handling Practices: x
13. Track External Criteria

Accountability Based Approach: Leverage EVIDENCE of Accountability to DEMONSTRATE Compliance

(Diagram: One Accountable Privacy Program mapped to Many Regulatory Requirements: Hong Kong – Personal Data (Privacy) Ordinance; Macau – Personal Data Protection Act 8/2005; Malaysia – Personal Data Protection Act 2010; Singapore – Personal Data Protection Act 2012; South Korea – Personal Information Protection Act, each with its own Rule 1 to Rule 5.)

• Evidence of Privacy Management Activities exists throughout the organization (within the Privacy Program as well as Operations)
• Evidence is collected in a centralized repository, structured in line with the 13 Privacy Management Processes
• Evidence of Accountability is mapped to requirements, allowing the organization to Demonstrate Compliance with laws and regulations on-demand, supported by Evidence

The Nymity Approach to Accountability

Initial Status – Baselining Privacy Management

Workbook

1. Identify the status of privacy management activities
2. Identify and record owners

Identify Status of Privacy Management (Workbook pg. 12)

• Implemented: The activity is already in place and has sufficient resources to be maintained.
• Planned: The decision has already been made, resources allocated, and action may be underway toward implementing the activity.
• Desired: The activity is applicable or relevant to the privacy program, but is not currently implemented or resourced (planned).
• N/A: Not applicable or relevant to the organization.

Identify Owners of Privacy Management Activities

Privacy Office Activities (privacy officer responsibilities): Privacy Management Activities that are the responsibility of the privacy office.

Operational Activities (privacy officer influences/observes): Privacy Management Activities that are the responsibility of operational units, including Marketing, HR, IT, Legal, Procurement, and Product Development.

Examples of Privacy Management Activities

Privacy Office Activities (privacy officer responsibilities), examples:
• maintain a data privacy policy
• maintain core training for all employees
• maintain a data privacy notice that details the organization’s personal data handling policies
• consult with stakeholders throughout the organization on privacy matters

Operational Activities (privacy officer influences/observes), examples:
• maintain an information security policy
• maintain technical security measures (e.g. intrusion detection, firewalls, monitoring)
• maintain data privacy requirements for third parties
• integrate data privacy into practices for monitoring employees

Workbook Exercise – Initial Status
• My Experience – Maintain Training and Awareness Program
• My Experience – Maintain Training and Awareness Program (cont.)
• My Experience – “Maintain Notices”

Workbook Exercise – You Do It!

You will have 10 minutes to complete this exercise. Please refer to the Accountability Workbook Instructions.

Nymity Benchmark Study research: How do you compare?

Ranking of Implemented "Maintain Notices" Privacy Management Activities
Status of All Organizations (data as of 4 March 2015)

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain a data privacy notice that details the organization’s personal data handling policies | 79.77% | 8.99% | 7.87% | 3.37%
2 | Provide data privacy notice at all points where personal data is collected | 66.29% | 8.99% | 19.1% | 5.62%
3 | Provide notice in all forms, contracts and terms | 58.89% | 7.78% | 17.78% | 15.56%
4 | Provide notice in marketing communications (e.g. emails, flyers, offers) | 56.67% | 8.89% | 14.44% | 20%
5 | Maintain a data privacy notice for employees (processing of employee personal data) | 47.19% | 13.48% | 28.09% | 11.24%
6 | Provide data privacy education to individuals (e.g. preventing identity theft) | 42.23% | 7.78% | 36.67% | 13.33%
7 | Provide notice by means of on-location signage, posters | 38.88% | 4.44% | 14.44% | 42.22%
8 | Maintain scripts for use by employees to explain the data privacy notice | 26.67% | 7.78% | 42.22% | 23.33%

Review

Getting to Accountability: Maximize the effectiveness of your privacy management program

You will be able to definitively:
1. Present Your Privacy Management Status: Identify current state including owners of activities
2. Select a Privacy Management Program Strategy
3. Develop a Plan to execute the Strategy: Identify required privacy management activities; Prioritize based on resources and articulate a business case for additional resources

PRIVACY MANAGEMENT PROGRAM STRATEGIES

Privacy Management Strategies (Workbook pg. 19)

Module objectives:
• Understand three distinct privacy management strategies
• Learn about the kind of organizations that chose each strategy
• Select one that best suits your organization

Core Activities (Workbook pg. 20)

Core activities are fundamental to the organization for privacy management; they are identified by the privacy office as being mandatory.

Core Activities Vary from One Organization to the Next, depending on:
• Industry/sector
• Jurisdiction
• Size of organization
• Nature of processing
• Type of personal data
• Organizational risk appetite

Examples of Core Privacy Management Activities

Core activity related to compliance:
• Maintain a data privacy notice that details the organization’s personal data handling policies (PMP 8)
• Most laws around the world contain a transparency principle and require notice to individuals.

Core activity related to managing risk:
• Maintain a core training program for all employees (PMP 5)
• Very few laws explicitly require privacy training, but the privacy office usually deems it critical to managing the privacy risk that can arise from employees that do not understand their obligations with regard to privacy.

Elective Privacy Management Activities

Elective activities are the activities that go beyond the minimum for compliance and risk management. They are the activities the organization has elected to implement to further embed privacy throughout the organization.

Activities may be Elective (non-Core) because they are not directly tied to privacy compliance or risk, such as "Hold an annual data privacy day/week" (PMP 5), or because they are sophisticated, such as "Maintain privacy program metrics" (PMP 12).

Core vs. Elective Activities: The workbook table provides examples of Core and Elective activities that are typical for selected industries/sectors (Workbook page 31).

Choose a Strategy

1. Managed Privacy Strategy (Workbook pg. 19)

Seeks to achieve and maintain the level of accountability that meets but does not exceed the minimum requirements necessary to maintain privacy management activities that are fundamental to the organization and are identified by the privacy office as being mandatory.

Which organizations choose the Managed Privacy Strategy?
• Organizations with low risk related to the processing of personal data (sensitivity, complexity, volume of data)
• Organizations where processing data is not the core business but more of a support or administrative function
• Organizations with a new privacy program, where the Managed Privacy Strategy is a starting point

2. Advanced Privacy Management Strategy

• Builds on the Managed Privacy Strategy
• Goes beyond the minimum to also incorporate additional privacy management activities throughout the organization (Elective Activities)

Which Organizations Choose the Advanced Privacy Strategy? Organizations:
• with a high level of privacy risk
• with a culture of compliance, and a low tolerance for compliance risk
• that have had a major breach or are subject to enforcement action
• that want to fully integrate privacy into all product and program development to manage privacy risk
• that want to make privacy a competitive differentiator or to exceed client requirements
• that are preparing for binding corporate rules, APEC CBPR, or some other optional data transfer mechanism that goes beyond compliance

3. Demonstrate Accountability and Compliance Strategy

Demonstrating accountability: Being able to provide on demand reporting on the status and/or ongoing maintenance of privacy management activities, supported by evidence.

Demonstrating compliance: Being able to contextualize evidence to rules of law.

Documentation as Evidence (Workbook pg. 33)

The documentation to be used as evidence already exists:
• Documentation is a by-product of implemented privacy management activities.
• You don’t create evidence just for the sake of demonstrating accountability/compliance. You just identify and log the evidence that already exists.

Privacy Management Activity | Evidence/Documentation
Maintain a data privacy policy | Data Privacy Policy
Integrate data privacy into e-mail monitoring practices | E-mail monitoring policy and procedure
Measure comprehension of data privacy concepts using exams | System generated report of data privacy exam scores
Provide notice in all marketing communications (e.g. emails, flyers, offers) | Examples of e-mail marketing communications

Demonstrate Accountability using the Accountability Status Workbook

Populate the Evidence column in the Accountability Status Workbook with all available documentation to show that the activity is in place and maintained.

Workbook columns: Privacy Management Activity; Status; Owner(s); Core (Y/N); Resources to Implement; Resources to Maintain; Business Case; Description/Comment; Evidence.

Example row:
• Privacy Management Activity: Assign accountability for data privacy at a senior level (PMP 1)
• Status: Implemented
• Owner(s): Privacy Office
• Core (Y/N): Yes
• Resources to Implement / Maintain: % FTE for Chief Privacy Officer Role
• Business Case: Ensure effectiveness of the privacy management program
• Description/Comment: The Privacy Officer is John Smith, who is at a VP level and reports through the Chief Compliance Officer
• Evidence: CPO Job Description; Org Charts; Privacy Policy

Which organizations choose this strategy? (Workbook pg. 32)

Organizations that have a business need to stand ready to demonstrate accountability and/or compliance, including:
• Preparing for a regulatory investigation
• Complying with future legal requirements for demonstrating compliance, e.g. EU GDPR
• Abiding by binding corporate rules to monitor compliance and make the results available to data protection authorities on demand
• Meeting expectations of privacy and data protection regulators
• Preparing to self-certify under EU-US Safe Harbor, or preparing for a third party audit
• Lowering the cost of independent assessment by gathering documentation and information in advance and presenting it to auditors
• Maintaining documentation for Trustmarks or accountability agents, e.g. organizations participating in the APEC Cross-Border Privacy Rules system
• Desiring a competitive differentiator, e.g. outsourcing and data processing providers
• Providing meaningful management reporting at various levels
• Demonstrating that they lead by example

Choose a Strategy

Business Case by strategy:
• Managed: Compliance and Risk Management; Protect brand reputation
• Advanced: Build culture of privacy; Privacy as a competitive differentiator; Further reduce privacy risk; Prepare for future compliance requirements; Regulator activity; External press coverage
• Demonstrate Accountability and Compliance: BCR; Safe Harbor; GDPR; CBPR; Prepare for Inspections; Management Reporting; Audit

Review

You will be able to definitively:
1. Present Your Privacy Management Status: Identify current state including owners of activities
2. Select a Privacy Management Program Strategy
3. Develop a Plan to execute the Strategy: Identify required privacy management activities; Prioritize based on resources and articulate a business case for additional resources

DEVELOP A PLAN TO EXECUTE THE STRATEGY

Module Objective
• Learn how to plan and execute your selected Strategy: select Privacy Management Activities (PMAs) and prioritize
• Learn how to build a business case for more resources
• Learn about which activities other organizations implemented first and what they are focused on now

Developing Your Plan

Select activities based on:
• Legal, compliance and regulatory obligations
• Privacy risk
• Business objectives

Prioritize activities based on your Resource Profile:
• Identify your resource profile
• Leverage existing resources
• Prioritize what can be supported
• Prioritize what can be maintained

Select based on Legal, Compliance and Regulatory Requirements (Workbook page 16)
• Understanding Expectations from Privacy and Data Protection Regulators
• Understanding the Law

Select based on Risk (Workbook page 18)
• Risk of harm to the individual data subject
• Risk of enforcement due to non-compliance or complaints
• Risk of unauthorized use of personal data
• Risk of loss to the organization
• Risk of breach due to stolen data
• Risk of misuse of personal data
• Risk of class-action lawsuit
• And others (see Workbook page 48)

Which of these is most important to the organization?

Select based on Business Objectives (Workbook page 18)

Align privacy management program strategy with organizational objectives such as:
• Global expansion goals
• Moving to paperless record keeping
• Mergers and acquisitions
• Competitive advantage
• Product innovation
• Cloud computing
• Others?

Common Core Privacy Management Activities (Workbook page 23)

Workbook Exercise – Selecting Privacy Management Activities
• My Experience - “Maintain Notices”
• My Experience - “Maintain Training and Awareness Program”
• My Experience - “Maintain Training and Awareness Program” (cont.)

Workbook Exercise – You Do It!

Determine which PMAs are core in your workbook and identify a business case for your Core desired activities.

Identify which activities are Core and which are Elective (Workbook pg. 20)
• Core: Fundamental to privacy management; they are identified by the privacy office as being mandatory.
• Elective: Activities that are not core, but are applicable to the organization. Elective activities go above and beyond the minimum for compliance and risk management.

Identify the Business Case (Workbook pg. 27)
• For PMAs that are desired (resources have not been allocated), note the business case. For example, compliance with laws and regulations, managing risk, alignment with organizational objectives, or implementing best practices.

Revisit “Desired” activities: if there is no business case, the activity is N/A.

Note: Some of you may want to change your previous selections based on your new understanding of Core.

You will have 30 minutes to complete this exercise.

Review – Getting to Accountability: Maximize the effectiveness of your privacy management program

You will be able to definitively:

1. Present Your Privacy Management Status
   Identify current state including owners of activities

2. Select a Privacy Management Program Strategy

3. Develop a Plan to execute the Strategy
   Identify applicable privacy management activities
   Prioritize based on resources and articulate a business case for additional resources


Prioritize Based on Resources

I. Determine your resource profile

II. Leverage existing resources

III. Prioritize what can be supported

IV. Prioritize what can be maintained

Page 18


Identifying Resources in Your Organization

People:
• Employees – full or partial headcount
• Buy-in or support from Executives/Senior Management
• Other departments or groups such as Internal Audit, Compliance, ERM
• Shared Services (Info Sec, IT, Legal, Procurement)
• External Consultants/Advisors/Auditors/Service Providers

Processes:
• Workflows for approval/sign-off
• Monitoring/Reviewing controls or mechanisms
• Communication/Meetings
• Training/knowledge sharing
• Escalation paths

Technology:
• File/document sharing platforms
• Collaboration tools
• Information Security/Data Protection controls
• ERP Systems
• Ticketing Systems
• E-Learning System

Tools:
• Compliance research subscriptions
• Subscription newsletter to stay informed
• Templates and samples
• Privacy management systems
• Privacy/Risk/Compliance Reporting Software
• PIA solutions
• Rationalized rules table generators
• Benchmarking solutions

Pg. 13


II. Leverage Existing Resources

Rely on privacy management activities that are already partially or fully implemented.

Example:

• The human resources department is already maintaining policies and procedures for monitoring employees
• The privacy office has buy-in from human resources
• Therefore, it is relatively low effort to implement and maintain the activity

Integrate data privacy into practices for monitoring employees (PMP 4), since the structure is already in place.

Page 18


III. Prioritize What is Supported

Support from the operational and business units is critical to the success of the program; lack of it can present an obstacle to success.

Example:

• Maintain policies/procedures for secondary use of personal data (PMP 4) may be influenced by the privacy office but owned by an operational unit such as marketing
  – If the privacy office tries to implement the activity without the support of marketing, it will likely not be adopted
  – Even though the activity is important to protecting data, it would not be implemented effectively and would not be the best use of limited resources

The privacy office should prioritize activities that are supported by key stakeholders.

Page 18


IV. Prioritize What Can Be Maintained

Accountability is an ongoing state, not a point-in-time status. Implement privacy management activities that can be maintained based on the ongoing resources available.

Example:

To implement the activity Maintain a Data Privacy Policy (PMP 3):
– The initial effort requires medium resources
– The policy must be socialized with key stakeholders in order to achieve buy-in and improve the chances of adoption (ultimately it should be approved by executive leadership)
– Publishing or issuing the policy is just the first step
  • It must then be reviewed on a periodic basis
  • Not keeping it up to date will result in increased privacy risk

Page 18


Workbook Exercise – Identify Resources

My Experience – “Maintain Notices”


Workbook Exercise – Identify Resources

My Experience – “Maintain Training and Awareness Program”


You Do It!

Columns F and G: Identify the resources required to implement the privacy management activity, and to maintain it. Resources generally fall into the categories of people, processes, technology and tools, e.g. organizational support or buy-in, existing processes or technologies, privacy management tools.

People:
• Employees – full or partial headcount
• Buy-in or support from Executives/Senior Management
• Other departments or groups such as Internal Audit, Compliance, ERM
• Shared Services (Info Sec, IT, Legal, Procurement)
• External Consultants/Advisors/Auditors/Service Providers

Processes:
• Workflows for approval/sign-off
• Monitoring/Reviewing controls or mechanisms
• Communication/Meetings
• Training/knowledge sharing
• Escalation paths

Technology:
• File/document sharing platforms
• Collaboration tools
• Information Security/Data Protection controls
• ERP Systems
• Ticketing Systems
• E-Learning System

Tools:
• Compliance research subscriptions
• Subscription newsletter to stay informed
• Templates and samples
• Privacy management systems
• Privacy/Risk/Compliance Reporting Software
• PIA solutions
• Rationalized rules table generators
• Benchmarking solutions

Pg. 13


Wrap-Up

Questions, Comments and Future Accountability Research


Recap

You will be able to definitively:

1. Present Your Privacy Management Status
   Identify current state including owners of activities

2. Present a Privacy Management Program Strategy

3. Develop a Plan to execute the Strategy
   Identify applicable privacy management activities
   Prioritize based on resources and articulate a business case for additional resources


Copyright © 2015 by Nymity Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual property of Nymity Inc. unless otherwise indicated. Reproduction, modification, transmission, use or quotation of any content, including text, images, photographs etc., requires the prior written permission of Nymity Inc., 366 Bay Street, Suite 1200, Toronto, Ontario, Canada M5H 4B2.

Please feel free to contact us with any questions or comments concerning this workshop at [email protected].

Thank You!

Please take a moment to fill out the feedback forms.

If you wish to learn more about Nymity products or wish to receive a free Benchmark report, please fill in the Demo Request Form.